Computer vandals dig worms

VANCOUVER, B.C.--Worms that can
crack into computer systems, take them over and continue spreading are
quickly becoming the rage in underground circles, said hackers and
security experts at the CanSecWest conference here this week.

The result? "I think we are going to see a lot more of these," said Greg
Shipley, director of consulting services for computer-security firm
Neohapsis.

A week ago, Shipley stayed up all night to analyze the new 1i0n Linux worm that had been
found in the wild. The worm exploits a vulnerability in widely used
domain-name service, or DNS, software used to direct Internet visitors to
the proper site.

While the worm does not seem to have spread widely, it had the potential to
do extensive damage to systems it compromised, concluded
Shipley. His results were a major factor behind advisories released March 23
by both the System Administration Networking and Security (SANS) Institute
and the National Infrastructure Protection Center.

Worse, less-technical online vandals--also called script kiddies--could
take the scripts, modify them and create a powerful malicious program,
he said.

"The script kiddies are being empowered by the automation," said
Shipley. "These kids aren't profiling systems (to target their attack).
They are playing a numbers game."

David Dittrich, senior security engineer at the University of Washington
and a computer forensics
expert, worries that the new worms will escalate just as distributed
denial-of-service (DDoS) tools did two years ago.

First seen in May 1999, DDoS tools were born as poorly constructed
programs that could flood a single Web site or Internet server with so
much data, and from so many sources, that the computer effectively would
disappear from the Internet.

In August 1999, in one of the first known uses, the University of
Minnesota came under attack. Six months later, the tools came to the
public's attention when Yahoo, ZDNet, CNN and other high-profile Web
sites suffered similar attacks.

Dittrich analyzed both 1i0n and the earlier Ramen worm and found significant
improvements in 1i0n's code. He worried that worms, like many
other hacker tools, are evolving and getting better.

"With these worms, it's fairly similar in that there (is) a lot of code
out there, someone could grab it and mutate it--now, the worm is out
there hacking with a different exploit," he said.

With worms exponentially spreading, the Internet could become a much
less friendly place, said Mixter, the German hacker who created the
Tribe Flood Network, the DDoS tool used in the attacks on Yahoo and
others a year ago.

"These are a general threat," he said, adding that--in setting up his
own domain--he had come to realize how prevalent scanning, by worms and
other automated tools, has become. "Before we had a domain name, we had 300
probes" from scanners, he said. "We don't analyze them because there is too
much data."

Worms spread by doubling and doubling
again. Robert Graham, chief technology officer with firewall maker
Network ICE, thinks that could clog up the works of the Internet.

"In some ways, I'm surprised that they haven't brought down the
Internet," he said.

And worms are set to get even more prevalent. With about 30 new
vulnerabilities uncovered every week, such automated code for cracking
systems has almost infinite potential, said Neohapsis's Shipley.

"My fear is that (hackers) will turn the worm into a framework," he
said. "Plug in an exploit and let it go."